Fix remediation trigger permission boundary for create-pr workflow #601

Merged
strawgate merged 1 commit into main from fix/trigger-text-auditor-permissions on Mar 8, 2026

Conversation

Collaborator

@strawgate strawgate commented Mar 8, 2026

Summary

  • update `scripts/dogfood.sh` remediation generation logic so trigger workflows chained to `gh-aw-create-pr-from-issue` always include `actions: read` at top-level `permissions`, while still elevating `contents`/`pull-requests` to `write`
  • restore explicit issue-only safe-output `add-comment` settings in `.github/workflows/gh-aw-create-pr-from-issue.md` (`max: 1`, `issues: true`, `pull-requests: false`, `discussions: false`)
  • regenerate the affected workflow outputs: `.github/workflows/trigger-text-auditor.yml`, `.github/workflows/trigger-docs-patrol.yml`, `.github/workflows/trigger-framework-best-practices.yml`, and `.github/workflows/gh-aw-create-pr-from-issue.lock.yml`

Test plan

  • `make compile`
  • `make lint-workflows`
  • verified generated remediation trigger workflows include `actions: read`
  • verified generated `.github/workflows/gh-aw-create-pr-from-issue.lock.yml` safe-output jobs no longer request `discussions: write` permissions

The body of this PR is automatically managed by the Trigger Update PR Body workflow.

Ensure generated remediation triggers include `actions: read` while keeping discussions scope disabled by restoring the full issue-comment safe-output config in create-pr-from-issue.

Made-with: Cursor
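The permission-boundary rewrite the summary above describes, as an added example that is neither the project's `scripts/dogfood.sh` nor its generated output: a small POSIX shell/awk filter that rewrites only the top-level `permissions:` mapping of a generated trigger workflow (overwriting or appending `contents: write`, `pull-requests: write` and `actions: read`, preserving every other listed scope, and leaving job-level blocks untouched), plus two lookup helpers that reproduce the last two test-plan checks. The sample workflow, the function names and the required-scope list are constructed for illustration. The reason `actions: read` has to be re-stated explicitly is a general GitHub Actions rule: once any scope is listed in a `permissions:` mapping, every unlisted scope becomes `none`, so an elevation that rewrites the block silently drops read scopes it does not repeat.

```shell
#!/bin/sh
# Added example, not the project's scripts/dogfood.sh. Rewrites the TOP-LEVEL
# permissions mapping of a generated trigger workflow and offers two checks
# mirroring the PR's test plan. Function names and sample YAML are constructed.
set -eu

# Constructed stand-in for a generated trigger workflow before remediation.
SAMPLE_WORKFLOW='name: trigger-text-auditor
on:
  workflow_dispatch:
permissions:
  contents: read
  actions: read
jobs:
  run:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - run: echo placeholder
'

# Scopes the remediation trigger needs (assumed set; key=level pairs). Listing
# ANY scope in a GitHub Actions permissions mapping sets every unlisted scope
# to none, so elevating contents/pull-requests must also re-state actions: read.
REQUIRED_SCOPES='contents=write pull-requests=write actions=read'

# elevate_permissions: YAML on stdin -> YAML on stdout. Only the unindented
# `permissions:` mapping is touched: required keys are overwritten or appended,
# other keys are preserved, job-level permissions blocks are left alone.
# Shorthand forms (read-all / write-all) are rejected rather than guessed at.
elevate_permissions() {
  awk -v required="$REQUIRED_SCOPES" '
    function flush(  i, k) {
      for (i = 1; i <= n; i++) { k = order[i]; if (!(k in done)) print "  " k ": " want[k] }
    }
    BEGIN {
      n = split(required, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    /^permissions:[[:space:]]*(read-all|write-all)/ {
      print "error: shorthand top-level permissions not supported" | "cat 1>&2"; exit 1
    }
    /^permissions:[[:space:]]*$/ { inblock = 1; print; next }
    inblock {
      if ($0 ~ /^[[:space:]]*#/ || $0 ~ /^[[:space:]]*$/) { print; next }   # comments/blank lines
      if ($0 !~ /^  [A-Za-z-]+:/) { flush(); inblock = 0; print; next }   # mapping ended
      key = $1; sub(/:$/, "", key)
      if (key in want) { print "  " key ": " want[key]; done[key] = 1 } else print
      next
    }
    { print }
    END { if (inblock) flush() }
  '
}

# top_level_scope SCOPE: print the level granted to SCOPE in the top-level
# permissions mapping of the YAML on stdin, or nothing if it is not listed.
top_level_scope() {
  awk -v want="$1" '
    /^permissions:[[:space:]]*$/ { inblock = 1; next }
    inblock && ($0 ~ /^[[:space:]]*#/ || $0 ~ /^[[:space:]]*$/) { next }
    inblock && $0 !~ /^  [A-Za-z-]+:/ { inblock = 0 }
    inblock { key = $1; sub(/:$/, "", key); if (key == want) { print $2; exit } }
  '
}

# job_scope_requests SCOPE LEVEL: count job-level (indented) permissions entries
# in the YAML on stdin that request SCOPE: LEVEL, e.g. discussions write.
job_scope_requests() {
  awk -v s="$1" -v l="$2" '
    /^[[:space:]]+permissions:[[:space:]]*$/ { match($0, /^[[:space:]]+/); depth = RLENGTH; inblock = 1; next }
    inblock {
      match($0, /^[[:space:]]*/)
      if (RLENGTH <= depth) inblock = 0
      else { key = $1; sub(/:$/, "", key); if (key == s && $2 == l) count++ }
    }
    END { print count + 0 }
  '
}

remediated_sample() { printf '%s' "$SAMPLE_WORKFLOW" | elevate_permissions; }

# check_remediated: the test-plan expectations against the YAML on stdin.
check_remediated() {
  yaml=$(cat)
  [ "$(printf '%s\n' "$yaml" | top_level_scope actions)" = read ] &&
  [ "$(printf '%s\n' "$yaml" | top_level_scope contents)" = write ] &&
  [ "$(printf '%s\n' "$yaml" | top_level_scope pull-requests)" = write ] &&
  [ "$(printf '%s\n' "$yaml" | job_scope_requests discussions write)" = 0 ]
}

# Stand-alone run: print the remediated sample and fail if the checks do not hold.
remediated_sample
remediated_sample | check_remediated
echo "remediation checks passed"
```

The filter deliberately refuses the `read-all`/`write-all` shorthands instead of expanding them, because expanding `write-all` would grant far more than the trigger needs; a generator should fail loudly there and let a human decide. `job_scope_requests` is the check behind the last test-plan item: after the safe-output config is restored, no indented `permissions:` block in the lock file should ask for `discussions: write`.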
@strawgate strawgate merged commit cc886c4 into main Mar 8, 2026
15 of 16 checks passed
@strawgate strawgate deleted the fix/trigger-text-auditor-permissions branch March 8, 2026 07:58
@github-actions github-actions bot added the medium_boom Medium PR blast radius; likely benefits from human review label Mar 8, 2026

coderabbitai bot commented Mar 8, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: de652a63-030c-42fc-a653-0ec1d2d8c1c6

📥 Commits

Reviewing files that changed from the base of the PR and between da60386 and 87b7863.

📒 Files selected for processing (6)
  • .github/workflows/gh-aw-create-pr-from-issue.lock.yml
  • .github/workflows/gh-aw-create-pr-from-issue.md
  • .github/workflows/trigger-docs-patrol.yml
  • .github/workflows/trigger-framework-best-practices.yml
  • .github/workflows/trigger-text-auditor.yml
  • scripts/dogfood.sh

📝 Walkthrough

This PR modifies GitHub Actions workflow permissions and configurations across multiple files. It updates the `gh-aw-create-pr-from-issue` lock file and documentation to restrict comment operations to issues only, adds `actions: read` permission to three trigger workflows (`trigger-docs-patrol`, `trigger-framework-best-practices`, `trigger-text-auditor`), removes `discussions: write` permission from three job blocks, and enhances `scripts/dogfood.sh` to use a more sophisticated awk-based approach for permission modifications instead of simple sed substitution.

Suggested labels

medium_boom
